Posted
by
ScuttleMonkeyon Monday January 05, 2009 @05:47PM
from the ambition-can-carry-you-just-so-far dept.

An anonymous reader writes "Wired has the inside story of Max Butler, a former white hat hacker who joined the underground following a jail stint for hacking the Pentagon. His most ambitious hack was a hostile takeover of the major underground carding boards where stolen credit card and identity data are bought and sold. The attack made his own site, CardersMarket, the largest crime forum in the world, with 6,000 users. But it also made the feds determined to catch him, since one of the sites he hacked, DarkMarket.ws, was secretly a sting operation run by the FBI."

Yeah, many years ago (in my teens) I had the ambition to be "the next bill gates", and now as I write small to medium websites and private applications from my couch, covered in empty red bull cans and small food bags, I think I managed pretty well!

I've noticed a few of these "What's up with teh red stories on teh front page" comments lately. Are the posters truly unaware of the significance of the red border, or are these posts a variation on the Obama turd trolls or something? I've seen similar comments posted in other threads. Some - like this one - even go so far as to post a link to a screen shot, to "prove" that they really saw a story in red!!!

Mind you, I had the same "am I losing my mind?" reaction when the user page was changed without warnin

Here [slashdot.org]'s a thread from yesterday that has a lot of posts about it. Logged in non-subscribers and ACs report seeing stories with red borders, so either everyone has been granted access to stories from the mysterious future or something's broken (borken???). Taco's journal may yield some clues, but I'm cooking dinner right now.

I get sick of explaining this, but the sig (which could not completely fit because of/.) is supposed to infinitely loop like that. I'm fully aware that getch() is only found in DOS's conio.h (and the ncurses lib), but even The C Programming Language references it, without providing the code for it (or even a header inclusion, for that matter). The full code snippet (forgive me, mods) is this:

And this was used in an old app I wrote (a long time ago) - a fake COMMAND.COM/cmd.exe used to prank anyone who used it religiously, mainly a teacher I had that pinged something every about five minutes.

Now can we move on? (And if thats you, peter, then you obviously are new here).

Any-key-humor was slightly funny twenty years ago when Homer Simpson couldn't find the Any key.

``Press any key'' unambiguously means that any keyboard input is acceptable.

The real point of the humor is that users (who are native English speakers) get so acustomed to grammatically-gutted error messages which lack proper capitalization, punctuation and the use of articles like "a" and "the", that they no longer parse ``press any key'' in the obvious way. It's a computer message so there must be article missin

I went to school with Max Butler. He's driven by constant challenges. I knew Max as a friend and as such witnessed the same vitriol and hatred he put up with from others who did not understand him. Teachers often openly mocked him, especially in computer science courses.

His escape from it all came from hacking. He noticed he had a particular knack for it. He'd get really engrossed, and it became sort of a downward spiral from there. If you know anyone like him, please do not ostracize him in his forming years. Imagine if he had been a solid, contributing member of society like timecop, or the millions of other good natured people that run trolling organizations that specialize in making fools out of idiots like yourself.

I went to school with Anonymous Coward. He's driven by shame. I knew AC as a friend and witnessed the same vitriol and hatred he put up with from others who did not understand him. Users often openly mocked him, especially after he posted comments about Apple Computer.

His escape came from posting. He noticed he had a particular knack for it. He'd sometimes post a thousand times a day to Slashdot (just check the logs and you can verify this for yourself). If you know others like him (such as Anonymous Howard, Eponymous Dotard, Androgynous Blowhard), please do not euthanize him in his cromulent fears.

I think, by declaring liberals as extremists, you pretty well defined hypocrisy with your post.

You use your first 2 sentences to denounce up a type of behavior, and then engage in that very behavior in the very next sentence, you didn't even break for paragraph. Thank you for your demonstration, it may even cover cognitive dissonance as well as hypocrisy.

You know damn well that not all (not even most, and you KNOW it) liberals are extremists like that. On top of that you know (you KNOW) that there are con

"Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."

This seems to be written more like a work of fiction than an account of the hack. The description echo'ed the language used in Jeffery Deaver's "The Blue Nowhere".

Yeah, but just one man alone was able to take out 10% with just a few keystrokes! Such horrific power! Which of the remaining 90% will be next?

After he had access, that is. Yeah, this would be written better if it simply said:"...he was able to take control of the computers. With said control, the computers did everything he told them to do including delete stuff."

Yes, just as "homophobe" only means "afraid of that which is the same as them," "you" is only the polite form of indicating the addressee ("ye" being the casual form), "villa" only means "farm," "awful" only means "deserving of awe," and "girl" only means "young child of either sex," [etymonline.com].

Well, no readership otherwise. For all my SO knows, I could be hacking the great Chinese firewall. She would not know otherwise and would not care. Trying to get Adobe flashplayer 10 64bit alphaOMGpre-release to work on Ubuntu looks exactly the same as hacking the Chinese Embassy's coke machine server to her if there is no narrative to let her know what is exactly happening.

"Once inside, he sucked out their content, including the logins, passwords, and email addresses of everyone who bought and sold through the sites. And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match."

This seems to be written more like a work of fiction than an account of the hack.

True, but I'll bet there were lots of cool graphics swirling around his head while he was doing it!

The article is a work of fiction because the actual details weren't available. The author states at the beginning that the details were recreated from court documents. Given that Poulsen himself is a hacker, it is pretty safe to assume that he guessed pretty closely on the details. There are only so many ways to bust into a web server, and SQL injection along with compromised passwords seems likely enough. As for what he did after he had access, what is so fictional about that? He dumped the data and dropped all of the tables. Ooooo, big stretch of imagination there. We're talking about a serious blend of fantasy and sci-fi right there.

The reality seems to be that the "job experience" gained as a member of a organized criminal enterprise doesn't look very good on a resume. You're right that the money is better, unless you're selling cocaine. In that case, the risk/reward equation is seriously out of wack, especially on a long enough time line.

To require proof (or evidence) of a thing in order to believe it exists is not a belief, but simply rational scepticism.

If I tell you that sea water is made of supernatural jello, you are perfectly capable of asking me for some proof without forming a new "belief" that seawater is *not* made out of supernatural jello. Perhaps, you could argue that valuing scepticism is a belief, but then the onus is not on the GP to disprove God but simply to prove scepticism in general has value (easy).

The Yellow Hat [wikipedia.org] sect of Tibetan Buddhism is the school that the Dalai Lama and Panchen Lama belong to, as opposed to the Nyingma or Red Hat sect which is the school that the Karmapa Lama belongs to.

And if anybody wants you to install a piece of distributed computing software that needs you to install Tibetan fonts and nine gigabytes of RAM on your computer, do be careful...

A good thing. A white hat hacker might break into a network out of curiosity, enrich his knowledge and then alarm the network operators of their problems and even help them with plugging those holes. Penetration testers are white hats too.A black hat would tend to publicize or sell the vulnerabilities without notifying potential victims.A cracker would destroy or alter files and generally wreak havoc.

It wasn't that this guy was whacking other underground sites, it's that he also nailed the FBI's "sting" website. The FBI and him engaged in a turf war, because if there's one thing the government hates, it's stealing. It hates competition.

Months later, Aragon's lawyer gave him some bad news. The Secret Service had cracked Butler's crypto and knew more about the hacker than Aragon didâ"which meant Aragon would probably never be offered a deal, even if he wanted one.

The USS cracked the Whole Disk Encryption of Max Butler.

Now reading about this guy, does Max Butler seem like the kind of guy who is going to keep his WDE password on his PDA?

No, I didn't think so either.

So, what kind would he be likely to use? dm-crypt under Linux? Commercial PGP? Scramdisk? TrueCrypt?

I think more WDE is backdoored than any of us suspect, and my takeaway from that line is that the commercial products aren't to be trusted.

The probably just brute forced the key. It probably required a significant amount of time -- the article does not actually give timescales here, and Aragon's trial could have taken nearly two years, considering the high level operation that we are talking about here. With that much time, and the priority of the case, I would not doubt that the government could have devoted enough CPU time to brute force the password.

There are other ways that they could have gotten the password. For example, they could

Not at all. The final value of this carders hoard of unused dumps was estimated to be in the range of 500 million dollars (at least according to the article) and the USSS was involved along with the FBI in an attempt to shut down the largest consolidated carder site ever assembled by one person. As other posters have pointed out, analysis of keyboard wear (assuming that Mr. Butler didn't have the foresight to regularly change his physical keyboard) might have assisted the effort greatly (yielding a success

No. It would not. It's pretty simple. How many times do you type your password vs. how many times do you type some other word? Try doing some computer simulations if you don't believe me. The data will be lost in noise.

The point of encryption is not to provide absolute protection for all time against all efforts but rather to provide protection for a limited amount of time as a function of the resources of your adversary.

No. The point is to take advantage of math problems that are asymmetrically hard to solve.
The goal is to create the largest force multiplier you can. This is how crypto differs from regular security.
The perfect cipher would be simple enough for a human to compute readily on a single piece of paper while resisting the brute forcing efforts of a computer built using every atom on earth, clocked at one terahertz and running since the beginning of the universe. It's a issue of scale. The "force multiplier" effect avaible from crypto is greater than anything in the physical security world. Imagine instead that instead of working with of E = MC^2, you were working with E = C*2^M. See how it's different? The work required to brute force a key baloons very quickly.

Even the best encryption will eventually fall to a determined enough adversary with enough resources to throw at the problem.

No, actually that's not a certainty.In order for what you said to be true there would have to be fundamental weaknesses in ever cryptographical scheme ever conceived, now or in the future.
If we find even one decent algorithm, free of shortcuts, then by using a large enough key it is possible to ensure that your data is not decoded before the death of the sun.

which sounds reasonable if government super computers were being enlisted in a distributed brute force search of the keyspace.

BASED ON WHAT? Why is months any more reasonable of a timeline to crack an unknown encryption scheme with unknown resources? Why not milliseconds? Why not millenia?

You have NO IDEA, what a reasonable time scale would be and you're just talking out your ass here.

I suppose some my consider me rude for point that out, but there are those of us who find people randomly making things up to support their argument to be rude.

The thing is: people keep saying that good crypto, while breakable, isn't realistically breakable, by which they mean using the entire computational resources of the planet running continuously for thousands of years. No matter how big any government's encryption-cracking farm, it should be a problem orders of magnitude too large. Twofish, for instance, is estimated to take 32 Petabytes of text [wikipedia.org] before any significant progress could be made on decrypting it, while Blowfish [wikipedia.org] has "no known way to break".So the question becomes: does the government have quantum computers, and hasn't let on (and if so, why use them on something like this and let the secret out) or are there vulnerabilities in what we're all calling 'good crypto'.

Or, much more likely, did he actually use good cryptography programs, or did he do something stupid? (Or did the government install keyloggers on his equipment or any of a multitude of other ways of attacking the problem that doesn't involve brute-forcing TrueCrypt, for instance.)

There's only a few algorithms used in WDE, and of those, only AES and CAST have had any chance to be altered by governments. In particular, Blowfish and Serpent are, according to quite a few people, very reliable.

I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.

At any rate, almost none of the current algorithms out there can be brute-forced, period. They're just too

It is very unlikely that the US government would deliberately sabotage the encryption standard for the entire country. It is asking for trouble to do so, since foreign powers are known to be engaged in hacking campaigns against US businesses and agencies, and back doors could be discovered by those powers. I thought we learned this lesson with DES, when the government demanded different S-boxes without telling anyone why, and the S-boxes they chose turned out to make the algorithm more resilient to differ

I personally find it very telling that the US government turned down Blowfish despite larger keysize, longer keyspace initialization, non-fixed S-boxes, and better performance, compared to AES.

You can turn off your conspiracy detector. First, Blowfish wasn't allowed to be used in AES since the call for algorithms required it to handle a block size of 128 bits.

Twofish was submitted but Rijndael was selected because of it's performance in the different types of hardware that they tried. There is a Report on the Development of the Advanced Encryption Standard [nist.gov] [PDF warning], that provides a performance comparison, (by rating it I, II or III), of the various algorithms submitted for AES using a variety of hardware and environments, like 8-bit C and Assembler. (Figures 2, 3 and 4 in the paper.)

Also, the NSA approved AES for use on U.S. Top Secret information. They would hardly do that if there was a known method of cracking it.

It's quite possible to brute-force ten-letter alphanumeric passwords. With some assumptions it should be possible to brute-force even larger passwords.

If cracking a full-disk encryption with a ten-character password takes only five seconds, an eleven-character (assuming that it's case sensitive) password is going to take five minutes. A twelve-character will take about five hours. A thirteen-character, almost two weeks. Fourteen, two years.

That's why you use pass phrases. "Peter Piper Picked A Pickled Pepper!" is a far better password than #$q%{:}, and it's easier to remember. As a bonus, using natural language won't "wear down the keys" any differently, as a sibling poster suggested (although it's a ridiculous idea to begin with and sounds like something out of a movie).

They usually don't show a lot of the so called "hacking" that McGee(computer geek) or Abbey(the hot goth forensic scientist) partake in on screen thus making them almost believable (not quite) that the agents can actually do what they say they are doing...that said, they blundered badly in one episode. I don't recall which but here's how it played out...

McGee was tasked w/ searching a suspects laptop for data and stated to Gibbs that the hard drive had been 100%

AES does not come from the NSA. "AES" stands for "Advanced Encryption Standard", and the algorithm selected, Rijndael, comes from two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted it to the AES selection process. All algorithms that took part were publicly evaluated for five years by the cryptography community at large, and Rijndael was selected pretty much by public acclaim.

Most illegal online loot was fenced through four so-called carder sites--marketplaces for online criminals to buy and sell credit card numbers, Social Security numbers, and other purloined data. One by one, Butler took them down.

The obvious question: why didn't the FBI do this rather than set-up a honeypot site? I understand the focus on gathering evidence, but it is interesting the disruption isn't a more important part of the law-enforcement toolkit.

would you like to give them the legal right to disrupt any website they felt fit before they had enough evidence to proove wrong doing. If there is wrong doing then gather evidence and prosecute and shut down for good, if there isnt wrong doing, leave it, dont cause disruption just because someone has a hunch, or whatever other motives any paranoids/conspiricists/etc would like to add

They are probably not allowed to do it, by law. Until they can prove that a computer is being used for illegal purposes, hacking their way into it and messing with the data stored on it is more likely to get the criminals off "on a technicality" than get them locked away for life.

Maybe it has something to do with computer trespass laws? I'm not a lawyer, but from what I understand, the law enforcement community has to follow the rules. Often times those rules hamper them. Expensive defense lawyers are often focused on the procedures followed when their clients are arrested or investigated. Any anomolies in the procedure could be a get out of jail free card.

For example, I know a guy who got out of a DUI ticket after being stopped at a DUI checkpoint. The court order/warrant/what

recently operation icebreaker brought down some local meth dealers. I bet the same name had been used for similar stings hundreds of times.

Now operation DarkMarket turns out to be a Fed-run honeypot.

How hard could it be to make a dictionary of likely FBI operation names, or even an application to rank the probability of a domain name being based on operation names that have been used on TV in the past ?

dark market was the name of the sting website, not neccecerily the operation, how likely are you to hear the name of an operation at a time such that you can know its something related to what you are doing, where would a meth dealer have herd someone say 'operation icebreaker'?

Hacking is an obsession and an addiction. It can easily take over your life, especially if you are good at it. Finding your next target is like getting in your next fix. It offers the ultimate escape, diversion and self-esteem. In a sense, it is a power trip.
The kind of rush you expirience when your skills pay off is incredible. For some, it is a rush better than sex and drugs combined. It adds a new dimension to an otherwise mundane and seemingly predictable reality.
Some perspective;)

I have been one of Max's friends since HS. It's been most sad watching all this happen. He's such a good guy. He's made some bad choices, but he also has had his life severely constrained because of what happened with his gf in HS.

What the article doesn't really say is that his friends don't actually believe he assaulted her. He was impulsive and kinda wacky, but never hurt anybody, nor ever wanted to. Just think of him, a big kid with long hair standing in front of a box full of old, conservative, Idaho jurors. He's scary lookin'! Convict!!

Anyways, He was in prison while the rest of us went to college and got jobs. He got out and tried to play catch-up, but it was hard with a felony record. So for the rest of his life, he's been an outsider struggling to get in with the rest of us.

He's tried SO hard to do the right thing. But again, his record made it hard to get jobs, and he is so good at security stuff... It's so easy to slip. Again, bad decisions, but he had so few choices! I just wish he'd come to me to borrow money when he needed it rather than accepting these guys' offer. He was always close-mouthed about what he was doing after that. He said many times to me that he wished he could be doing good things too when I'd tell him about what was going on in my work. He had such huge collections of malware and 0day stuff that he kept meaning to organize and distribute to security researchers. He tried to help out with the honeynet project. etc.

My biggest fantasy is that the government would spring him out after a few years, put him in a room with a really smart handler, and let him rip at trying to figure out who spammers are or pentest government facilities for them or something. He could and would do SO much good. But of course, that only happens in the movies. Sigh.

From what he's said to me, there's a lot more stuff that he wants to say, but he can't talk about it until the trial is over. That said, I think that even he is pretty sure that he deserves some punishment for all this. I do too. But I temper this with the belief that he really would be a positive force for good if he were just given a chance. Please consider that before you vilify him.

Max is/was/will always be a guy who stole identities and money other people, in many cases making their lives living Hell. You can toot all you want about the evil FBI, but fact of the matter is that Max is a thief who took things that didn't belong to him.